Consumer Financial Protection Bureau helms multi-agency effort to scrutinize sale of Americans’ data

Federal agency leadership released new steps in protecting American citizens’ data from the data broker industry absent formal federal law, with the Consumer Financial Protection Bureau and Federal Trade Commission spearheading proposed rules that crack down on the usage of personal data. 

On Tuesday, the White House held a formal roundtable on protecting Americans from harmful data broker practices, featuring remarks from government officials representing the Consumer Financial Protection Bureau, the Federal Trade Commission and the White House Office of Science and Technology Policy that gave a summary of how the Biden administration is bringing a level of regulation to companies’ data harvesting practices.

A key part of the administration’s actions includes using existing federal law for increased oversight into data brokers, namely the Fair Credit Reporting Act. 

“Today, the CFPB is taking important steps under the Fair Credit Reporting Act to address potential abuses in the data brokerage sector,” said Lael Brainard, director of the White House National Economic Council. 

The CFPB’s proposed rules will target this industry by defining a “data broker” that sells a specific type of consumer data as a “consumer reporting agency” to better subject these businesses to existing regulations. 

The agency is also considering a proposal that would treat a broker’s data sales as a consumer report, depending on the data included. Criminal history, income and payment history were cited as examples of the types of data that would render a dossier eligible for the designation of a consumer report. 

A second proposal would allow the CFPB to clarify if “credit header data”–– which includes an individual’s name, Social Security number and date of birth –– is considered a consumer report. Since data brokers often collect and utilize this data, the CFPB is looking to understand how this data could be regulated under the Fair Credit Reporting Act. 

By next month, the CFPB will publish an outline of its intended rule proposals, which will be open for public comment in 2024. The agency is encouraging small businesses to help craft this rule prior to publication. 

CFPB Director Rohit Chopra said that the advent of generative and advanced artificial intelligence systems has further spurred the need for additional data protection regulations, given the increased demand for more monetized forms of data collection.

“The Consumer Financial Protection Bureau is pleased to be part of an all-of-government effort to tackle the risks associated with AI,” Chopra said. “After conducting an inquiry into the practices of data brokers in the surveillance industry, we have decided to launch a rulemaking to ensure that modern-day digital data brokers are not misusing or abusing our sensitive data.”

Chopra added that CFPB officials have learned more about the harms American citizens have suffered due to the abuse and mishandling of personal data, including improper victim identity disclosure and the facilitation of harassment and fraud. 

He noted that data brokers can leverage advanced technologies like AI to deepen the portfolios of online user data that can be exploited by a variety of third parties.

“Today’s surveillance firms have modern technology to build even more complex profiles about our searches, our clicks, our payments and our locations,” Chopra said. “These detailed dossiers can be exploited by scammers, marketers and anyone else willing to pay.”

In conjunction with CFPB, the FTC is also looking to take action to better safeguard Americans’ data. Chair Lina Khan explained that the FTC’s action is broadly characterized in four steps: bringing lawsuits against companies that violate individuals’ data privacy, pursuing remedial action against illegal data surveillance, scrutinizing businesses that demand users to input “seemingly limitless” personal data and examining potentially duplicitous practices that trick users into disclosing unnecessary information.

“We at the FTC have been focused on how we can use all of our tools to protect people from data abuses,” Khan said. “One major throughline across our work is moving past the fiction that notifications and disclosures are sufficient to gain people's consent.”

In recent months, the FTC has levied fines against private sector companies that have inappropriately handled user data, such as Weight Watchers, GoodRX and BetterHelp. 

“There's a lot more work to be done, and I'm so thrilled to have the partnership with so many in this room,” she added during the White House conference.

The announcement marks a significant step toward greater national data protection and regulation, something the U.S. notably lacks among allied nations. On the congressional side, lawmakers with a history of supporting tech-focused legislation have vocalized support for the joint-agency venture.

“Director Chopra deserves credit for following up on my recommendation to plug the ‘credit header’ loophole that let credit bureaus sell consumers’ private information to shady data brokers,” said Sen Ron Wyden, D-Ore., who previously sent Chopra a letter requesting more oversight into the sale of Americans’ data, said in a statement applauding the initiative. “No one who signs up for utilities or a home loan is actually giving consent to have their Social Security number and personal details sold on the open market. This change is long overdue.”